Browse Source

Merge pull request #13453 from neheb/ssh

libssh: update to 0.9.5
lilik-openwrt-22.03
Rosen Penev 4 years ago
committed by GitHub
parent
commit
22d4224661
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 3 additions and 345 deletions
  1. +3
    -3
      libs/libssh/Makefile
  2. +0
    -73
      libs/libssh/patches/0001-libcrypto-compat-add-extra-functions.patch
  3. +0
    -63
      libs/libssh/patches/0002-libcrypto-remove-deprecated-API-usage.patch
  4. +0
    -165
      libs/libssh/patches/0003-CVE-2020-16135.patch
  5. +0
    -41
      libs/libssh/patches/0004-channels-Avoid-returning-SSH_AGAIN-from-ssh_channel_.patch

+ 3
- 3
libs/libssh/Makefile View File

@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=libssh
PKG_VERSION:=0.9.4
PKG_RELEASE:=3
PKG_VERSION:=0.9.5
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://www.libssh.org/files/0.9/
PKG_HASH:=150897a569852ac05aac831dc417a7ba8e610c86ca2e0154a99c6ade2486226b
PKG_HASH:=acffef2da98e761fc1fd9c4fddde0f3af60ab44c4f5af05cd1b2d60a3fa08718
PKG_MAINTAINER:=Mislav Novakovic <mislav.novakovic@sartura.hr>
PKG_LICENSE:=LGPL-2.1-or-later BSD-2-Clause


+ 0
- 73
libs/libssh/patches/0001-libcrypto-compat-add-extra-functions.patch View File

@ -1,73 +0,0 @@
From ce7de0261f0c1f1640da5673dd24939a37e33bd9 Mon Sep 17 00:00:00 2001
From: Rosen Penev <rosenp@gmail.com>
Date: Thu, 23 Jan 2020 18:53:06 -0800
Subject: [PATCH 1/2] libcrypto-compat: add extra functions
Changed the define to compare OPENSSL_API_COMPAT instead of version as
OpenSSL can be compiled in different ways. One is to disable all
deprecated APIs.
Added extra functions. The next commit will switch to them.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
src/libcrypto-compat.c | 14 ++++++++++++++
src/libcrypto-compat.h | 8 +++++++-
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/src/libcrypto-compat.c b/src/libcrypto-compat.c
index 048d1781..3604763f 100644
--- a/src/libcrypto-compat.c
+++ b/src/libcrypto-compat.c
@@ -280,6 +280,11 @@ void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
OPENSSL_free(ctx);
}
+int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx)
+{
+ EVP_CIPHER_CTX_init(ctx);
+}
+
HMAC_CTX *HMAC_CTX_new(void)
{
HMAC_CTX *ctx = OPENSSL_zalloc(sizeof(HMAC_CTX));
@@ -394,3 +399,12 @@ int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
}
return 1;
}
+
+const char *OpenSSL_version(int type)
+{
+ return SSLeay_version(type);
+}
+unsigned long OpenSSL_version_num(void)
+{
+ return SSLeay();
+}
diff --git a/src/libcrypto-compat.h b/src/libcrypto-compat.h
index bda0473e..44e14801 100644
--- a/src/libcrypto-compat.h
+++ b/src/libcrypto-compat.h
@@ -34,6 +34,8 @@ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx);
EVP_MD_CTX *EVP_MD_CTX_new(void);
void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
+int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx);
+
HMAC_CTX *HMAC_CTX_new(void);
int HMAC_CTX_reset(HMAC_CTX *ctx);
void HMAC_CTX_free(HMAC_CTX *ctx);
@@ -44,6 +46,10 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
void DH_get0_key(const DH *dh,
const BIGNUM **pub_key, const BIGNUM **priv_key);
int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
+
+const char *OpenSSL_version(int type);
+unsigned long OpenSSL_version_num(void);
+
#endif /* OPENSSL_VERSION_NUMBER */
#endif /* LIBCRYPTO_COMPAT_H */
--
2.24.1

+ 0
- 63
libs/libssh/patches/0002-libcrypto-remove-deprecated-API-usage.patch View File

@ -1,63 +0,0 @@
From 73f0e186964126c9e2bfba43488f543ace54746b Mon Sep 17 00:00:00 2001
From: Rosen Penev <rosenp@gmail.com>
Date: Thu, 23 Jan 2020 18:54:51 -0800
Subject: [PATCH 2/2] libcrypto: remove deprecated API usage
EVP_CIPHER_CTX_init was replaced with _reset.
Removed EVP_CIPHER_CTX_cleanup. The successive _free call handles that.
Removed old SSLeay function usage.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
src/libcrypto.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/libcrypto.c b/src/libcrypto.c
index b3792264..7ce7d93a 100644
--- a/src/libcrypto.c
+++ b/src/libcrypto.c
@@ -541,7 +541,7 @@ static int evp_cipher_set_encrypt_key(struct ssh_cipher_struct *cipher,
int rc;
evp_cipher_init(cipher);
- EVP_CIPHER_CTX_init(cipher->ctx);
+ EVP_CIPHER_CTX_reset(cipher->ctx);
rc = EVP_EncryptInit_ex(cipher->ctx, cipher->cipher, NULL, key, IV);
if (rc != 1){
@@ -574,7 +574,7 @@ static int evp_cipher_set_decrypt_key(struct ssh_cipher_struct *cipher,
int rc;
evp_cipher_init(cipher);
- EVP_CIPHER_CTX_init(cipher->ctx);
+ EVP_CIPHER_CTX_reset(cipher->ctx);
rc = EVP_DecryptInit_ex(cipher->ctx, cipher->cipher, NULL, key, IV);
if (rc != 1){
@@ -657,7 +657,6 @@ static void evp_cipher_decrypt(struct ssh_cipher_struct *cipher,
static void evp_cipher_cleanup(struct ssh_cipher_struct *cipher) {
if (cipher->ctx != NULL) {
- EVP_CIPHER_CTX_cleanup(cipher->ctx);
EVP_CIPHER_CTX_free(cipher->ctx);
}
}
@@ -1481,11 +1480,11 @@ int ssh_crypto_init(void)
if (libcrypto_initialized) {
return SSH_OK;
}
- if (SSLeay() != OPENSSL_VERSION_NUMBER){
+ if (OpenSSL_version_num() != OPENSSL_VERSION_NUMBER){
SSH_LOG(SSH_LOG_WARNING, "libssh compiled with %s "
"headers, currently running with %s.",
OPENSSL_VERSION_TEXT,
- SSLeay_version(SSLeay())
+ OpenSSL_version(OpenSSL_version_num())
);
}
#ifdef CAN_DISABLE_AESNI
--
2.24.1

+ 0
- 165
libs/libssh/patches/0003-CVE-2020-16135.patch View File

@ -1,165 +0,0 @@
From 1493b4466fa394b321d196ad63dd6a4fa395d337 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 3 Jun 2020 10:04:09 +0200
Subject: [PATCH 1/4] sftpserver: Add missing NULL check for ssh_buffer_new()
Thanks to Ramin Farajpour Cami for spotting this.
Fixes T232
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
---
src/sftpserver.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/sftpserver.c b/src/sftpserver.c
index 5a2110e5..b639a2ce 100644
--- a/src/sftpserver.c
+++ b/src/sftpserver.c
@@ -67,6 +67,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
/* take a copy of the whole packet */
msg->complete_message = ssh_buffer_new();
+ if (msg->complete_message == NULL) {
+ ssh_set_error_oom(session);
+ sftp_client_message_free(msg);
+ return NULL;
+ }
+
ssh_buffer_add_data(msg->complete_message,
ssh_buffer_get(payload),
ssh_buffer_get_len(payload));
--
GitLab
From dbfb7f44aa905a7103bdde9a198c1e9b0f480c2e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 3 Jun 2020 10:05:51 +0200
Subject: [PATCH 2/4] sftpserver: Add missing return check for
ssh_buffer_add_data()
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
---
src/sftpserver.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/sftpserver.c b/src/sftpserver.c
index b639a2ce..9117f155 100644
--- a/src/sftpserver.c
+++ b/src/sftpserver.c
@@ -73,9 +73,14 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
return NULL;
}
- ssh_buffer_add_data(msg->complete_message,
- ssh_buffer_get(payload),
- ssh_buffer_get_len(payload));
+ rc = ssh_buffer_add_data(msg->complete_message,
+ ssh_buffer_get(payload),
+ ssh_buffer_get_len(payload));
+ if (rc < 0) {
+ ssh_set_error_oom(session);
+ sftp_client_message_free(msg);
+ return NULL;
+ }
ssh_buffer_get_u32(payload, &msg->id);
--
GitLab
From 65ae496222018221080dd753a52f6d70bf3ca5f3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 3 Jun 2020 10:10:11 +0200
Subject: [PATCH 3/4] buffer: Reformat ssh_buffer_add_data()
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
---
src/buffer.c | 35 ++++++++++++++++++-----------------
1 file changed, 18 insertions(+), 17 deletions(-)
diff --git a/src/buffer.c b/src/buffer.c
index a2e6246a..476bc135 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -299,28 +299,29 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
*/
int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
{
- buffer_verify(buffer);
+ buffer_verify(buffer);
- if (data == NULL) {
- return -1;
- }
+ if (data == NULL) {
+ return -1;
+ }
- if (buffer->used + len < len) {
- return -1;
- }
+ if (buffer->used + len < len) {
+ return -1;
+ }
- if (buffer->allocated < (buffer->used + len)) {
- if(buffer->pos > 0)
- buffer_shift(buffer);
- if (realloc_buffer(buffer, buffer->used + len) < 0) {
- return -1;
+ if (buffer->allocated < (buffer->used + len)) {
+ if (buffer->pos > 0) {
+ buffer_shift(buffer);
+ }
+ if (realloc_buffer(buffer, buffer->used + len) < 0) {
+ return -1;
+ }
}
- }
- memcpy(buffer->data+buffer->used, data, len);
- buffer->used+=len;
- buffer_verify(buffer);
- return 0;
+ memcpy(buffer->data + buffer->used, data, len);
+ buffer->used += len;
+ buffer_verify(buffer);
+ return 0;
}
/**
--
GitLab
From df0acab3a077bd8ae015e3e8b4c71ff31b5900fe Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 3 Jun 2020 10:11:21 +0200
Subject: [PATCH 4/4] buffer: Add NULL check for 'buffer' argument
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
---
src/buffer.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/buffer.c b/src/buffer.c
index 476bc135..ce12f491 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
*/
int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
{
+ if (buffer == NULL) {
+ return -1;
+ }
+
buffer_verify(buffer);
if (data == NULL) {
--
GitLab

+ 0
- 41
libs/libssh/patches/0004-channels-Avoid-returning-SSH_AGAIN-from-ssh_channel_.patch View File

@ -1,41 +0,0 @@
From 6417f5a3cac8537ac6f6ff7fc1642dfaa0917fb4 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 16 Apr 2020 11:13:34 +0200
Subject: [PATCH] channels: Avoid returning SSH_AGAIN from
ssh_channel_poll_timeout()
This addresses a regression introduced in 3bad0607, partially fixed in 022409e9,
but the function was still able to return SSH_AGAIN, which was not expected by
callers.
Based on discussion in [1] and [2]
[1] https://gitlab.com/libssh/libssh-mirror/-/merge_requests/101
[2] https://www.libssh.org/archive/libssh/2020-03/0000029.html
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
src/channels.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/channels.c b/src/channels.c
index bcc1c207..9fe309d0 100644
--- a/src/channels.c
+++ b/src/channels.c
@@ -3116,6 +3116,12 @@ int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr)
session->session_state == SSH_SESSION_STATE_ERROR) {
rc = SSH_ERROR;
goto out;
+ } else if (rc == SSH_AGAIN) {
+ /* If the above timeout expired, it is ok and we do not need to
+ * attempt to check the read buffer. The calling functions do not
+ * expect us to return SSH_AGAIN either here. */
+ rc = SSH_OK;
+ goto out;
}
len = ssh_buffer_get_len(stdbuf);
if (len > 0) {
--
2.26.2

Loading…
Cancel
Save